Master public key is quantum proof?

[RealBitcoin]

I am referring to  BIP 32, and the deterministic wallets. Is the master public key quantum proof in the sense that can a quantum computer reverse engineer the child private keys from the master public key?

I am specifically interested if this holds true for Electrum wallet as well. (But I posted in this board, since it is a general question about BTC security).

Public parent key → private child key

This is not possible.

The bip documentation says it's impossible, but does it hold true from quantum computers as well?

[1715008807]

1715008807

[1715008807]

1715008807

[1715008807]

1715008807

[1715008807]

1715008807

[1715008807]

1715008807

[buhrmi]

With a powerful enough quantum computer, nothing holds true.

[achow101]

BIP 32 keys are still ECDSA keys. Therefore they have the same problems that all ECDSA keys have, which is to say they are not quantum resistant.

[RealBitcoin]

BIP 32 keys are still ECDSA keys. Therefore they have the same problems that all ECDSA keys have, which is to say they are not quantum resistant.

Well i have done some research and most experts say that in the context of child keys:

Unspent addresses are safe against quantum hackers -> Because the public key is not revealed,so unless somebody posts his public key on facebook, it should hold, because it has another layer of RIPEMD protecting it. That should hold against quantum computers.

However I want to see what is the context of this theory in the BIP32 wallets ,where we are talking about master public keys.

[achow101]

BIP 32 keys are still ECDSA keys. Therefore they have the same problems that all ECDSA keys have, which is to say they are not quantum resistant.

Well i have done some research and most experts say that in the context of child keys:

Unspent addresses are safe against quantum hackers -> Because the public key is not revealed,so unless somebody posts his public key on facebook, it should hold, because it has another layer of RIPEMD protecting it. That should hold against quantum computers.

However I want to see what is the context of this theory in the BIP32 wallets ,where we are talking about master public keys.

The Extended public keys are not hashed. Otherwise it would not be possible to actually get the public key and derive the non-hardened child addresses. This means that once QCs are viable, you should not hand out your xpub because then the public key can be gotten and the corresponding private key can be retrieved. Then the attacker can derive all of your address's private keys and steal your Bitcoin.

[RealBitcoin]

BIP 32 keys are still ECDSA keys. Therefore they have the same problems that all ECDSA keys have, which is to say they are not quantum resistant.

Well i have done some research and most experts say that in the context of child keys:

Unspent addresses are safe against quantum hackers -> Because the public key is not revealed,so unless somebody posts his public key on facebook, it should hold, because it has another layer of RIPEMD protecting it. That should hold against quantum computers.

However I want to see what is the context of this theory in the BIP32 wallets ,where we are talking about master public keys.

The Extended public keys are not hashed. Otherwise it would not be possible to actually get the public key and derive the non-hardened child addresses. This means that once QCs are viable, you should not hand out your xpub because then the public key can be gotten and the corresponding private key can be retrieved. Then the attacker can derive all of your address's private keys and steal your Bitcoin.

This is what I feared, so basically BIP 32 is useless then, and better keep bitcoin in 1 unspent address.

[achow101]

This is what I feared, so basically BIP 32 is useless then, and better keep bitcoin in 1 unspent address.

No, it isn't useless. Just don't give out your Master public key. It is still useful for deterministic backups.

One thing to remember is that the keys are not derived off of each other. The keys are derived from the master public key, not the child key that came before it. So it is still safe to use BIP 32 wallets, just don't give out your Master public key and don't derive child keys based on addresses you already used.

[RealBitcoin]

This is what I feared, so basically BIP 32 is useless then, and better keep bitcoin in 1 unspent address.

No, it isn't useless. Just don't give out your Master public key. It is still useful for deterministic backups.

One thing to remember is that the keys are not derived off of each other. The keys are derived from the master public key, not the child key that came before it. So it is still safe to use BIP 32 wallets, just don't give out your Master public key and don't derive child keys based on addresses you already used.

Yeah but you cannot use it as watching only, since the master pub key is exposed. Yeah its still good for normal use but not the "ultimate security" i was expecting.

Any chance the BIP32 will be uppgraded to quantum resistance and make master public keys hardened?

[achow101]

This is what I feared, so basically BIP 32 is useless then, and better keep bitcoin in 1 unspent address.

No, it isn't useless. Just don't give out your Master public key. It is still useful for deterministic backups.

One thing to remember is that the keys are not derived off of each other. The keys are derived from the master public key, not the child key that came before it. So it is still safe to use BIP 32 wallets, just don't give out your Master public key and don't derive child keys based on addresses you already used.

Yeah but you cannot use it as watching only, since the master pub key is exposed. Yeah its still good for normal use but not the "ultimate security" i was expecting.

Any chance the BIP32 will be uppgraded to quantum resistance and make master public keys hardened?

The only way to get quantum resistance is to move off of ECDSA altogether. In that case, everything would move to a quantum resistance signing algorithm. Once QCs start becoming more viable, I think that there is a very high chance that there will be a fork to move Bitcoin to a quantum resistant algo.

[RealBitcoin]

This is what I feared, so basically BIP 32 is useless then, and better keep bitcoin in 1 unspent address.

No, it isn't useless. Just don't give out your Master public key. It is still useful for deterministic backups.

One thing to remember is that the keys are not derived off of each other. The keys are derived from the master public key, not the child key that came before it. So it is still safe to use BIP 32 wallets, just don't give out your Master public key and don't derive child keys based on addresses you already used.

Yeah but you cannot use it as watching only, since the master pub key is exposed. Yeah its still good for normal use but not the "ultimate security" i was expecting.

Any chance the BIP32 will be uppgraded to quantum resistance and make master public keys hardened?

The only way to get quantum resistance is to move off of ECDSA altogether. In that case, everything would move to a quantum resistance signing algorithm. Once QCs start becoming more viable, I think that there is a very high chance that there will be a fork to move Bitcoin to a quantum resistant algo.

Ok but I was referring to as using a bitcoin address without public key, unspent, viewing it from a block explorer

VS

Using a BIP32 wallet, where you have to expose the master pub key to use it watch only.


So a BIP32 wallet has inferior security than 1 single address.

[achow101]

Ok but I was referring to as using a bitcoin address without public key, unspent, viewing it from a block explorer

VS

Using a BIP32 wallet, where you have to expose the master pub key to use it watch only.


So a BIP32 wallet has inferior security than 1 single address.

In that regard, yes it is less secure. It would be impossible to hide the public key while still being able to derive all of the addresses for lookup.